Threat Hunting is quickly becoming common practice in Security Operation Centers (SOCs). While many security analysts undertake hunting either formally or informally (86% according to a recent SANS Institute survey), hunts are often limited by the data that is available to them. This post explores how the unification of network and endpoint data can increase the effectiveness of threat hunts.
What is hunting?
Hunting is the proactive, iterative process of searching for threats that evade an organization’s existing security solutions. Many of the techniques involved in threat hunting are already practiced informally across many security operations centers. For example, as defined in Sqrrl’s Hunting Maturity Model, Level 1 hunting includes basic threat indicator search. But organizations can achieve higher levels of hunting maturity by leveraging advanced analytical tools, such as User and Entity Behavior Analytics (UEBA).
Which datasets can be used to hunt?
A hunter should aim to have total visibility over the IT assets, risks, and flows within his or her enterprise. The datasets needed for this type of visibility break down into three broad categories:
- Network datasets (e.g. proxy logs, authentication, DNS, etc.) are records of what was actually transmitted over the wire, describing the interactions of entities such as users, endpoints, IPs and domains across a network. Using these interactions, hunters are able to identify an adversary’s activities within the network.
- Host datasets (e.g. authentication, process creation, vulnerability scans, audit logs, etc.) are those events that occur on the computers in the environment.
- Application datasets (e.g. DB queries, security alerts, transaction alerts, etc.) are events logged by the programs running in the environment.
In general, network data gives analysts a higher-level view of patterns and events occurring across an entire network or a specific subnet. Host and application data (together, endpoint data) give analysts far more granular access to what might be happening on individual machines. Together, these three datasets provide a comprehensive map of the enterprise, giving a multi-level view of what might be going on, and are most effectively used in tandem by hunters to detect advanced threats.
How are Sqrrl and Carbon Black addressing the challenge?
Unfortunately for hunters, until very recently there was no unified platform that allowed analysts to easily pivot between network data and endpoint data.
Now there is.
Bringing together network hunting and endpoint hunting greatly expands the view and certainty with which an analyst can detect threats. The Sqrrl/Carbon Black integration fuses rich endpoint data from Carbon Black with network, identity, and threat intelligence data within Sqrrl’s threat hunting platform. The integration provides hunters with a complete picture of threat activity, from high to low level. Sqrrl also provides UEBA capabilities to identify risky users and entities and present them in threat hunting dashboards and profiles.
Why is a comprehensive endpoint-to-network hunting model useful?
Once an endpoint has been identified as potentially compromised, access to process-level data in Sqrrl’s Behavior Graph enables an analyst to determine what other hosts might be running the same processes, which would indicate that they are similarly compromised.
While hunting with endpoint or network data alone can certainly be effective, uniting the datasets increases the effectiveness of hunts and can also increase the efficiency of incident investigations and response. For example, in the case of investigating a suspicious external IP connected to your network, being able to see that a malicious process from a host machine connected to that external IP gives an additional level of context and clarity to that investigation.
Another example: On the network, an analyst might be able to identify beaconing from one or more machines, and process-level data helps them perform more in-depth root cause analysis. They might even discover other affected machines (by looking for the binaries associated with the known-bad machines) that have not begun to beacon but are infected with the same family of malware.
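As an added example (not Sqrrl’s or Carbon Black’s code), the hunt described in the last two paragraphs written out in Python over constructed logs: find hosts whose connections to an external IP arrive at near-constant intervals, pivot to the binaries that made those connections, then list other hosts carrying the same binary hashes that have not started beaconing. The record layouts, hash labels, hostnames and the 10% jitter threshold are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed network records: (host, dst_ip, epoch seconds). Not real traffic.
NET_EVENTS = (
    [("ws01", "203.0.113.7", t) for t in range(0, 3600, 300)]            # exact 300 s period
    + [("ws02", "203.0.113.7", t + (-5 if t % 600 == 0 else 5))          # 300 s with jitter
       for t in range(0, 3600, 300)]
    + [("ws03", "198.51.100.9", t) for t in (10, 700, 3300, 3305, 3350)]  # irregular browsing
)

# Constructed endpoint records: (host, process, binary hash, dst_ip or None).
PROC_EVENTS = [
    ("ws01", "sync.exe", "HASH_A", "203.0.113.7"),
    ("ws02", "updater.exe", "HASH_B", "203.0.113.7"),
    ("ws03", "chrome.exe", "HASH_C", "198.51.100.9"),
    ("ws04", "updater.exe", "HASH_B", None),   # same binary, no network activity yet
    ("ws05", "sync.exe", "HASH_A", None),
]

def find_beacons(events, min_events=6, max_cv=0.1):
    """Return {(host, dst_ip)} whose inter-connection gaps are near-constant:
    coefficient of variation (stdev / mean) of the gaps is at most max_cv."""
    by_pair = defaultdict(list)
    for host, dst, ts in events:
        by_pair[(host, dst)].append(ts)
    beacons = set()
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue                      # too few samples to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            beacons.add(pair)
    return beacons

def pivot_to_binaries(beacons, procs):
    """Endpoint pivot: binary hashes of the processes that made the beaconing connections."""
    return {h for host, _, h, dst in procs if (host, dst) in beacons}

def hosts_with_binaries(hashes, procs, exclude):
    """Other hosts running the same binaries, i.e. likely infected but not yet beaconing."""
    return sorted({host for host, _, h, _ in procs if h in hashes and host not in exclude})

def hunt(net=NET_EVENTS, procs=PROC_EVENTS):
    beacons = find_beacons(net)
    hashes = pivot_to_binaries(beacons, procs)
    return beacons, hashes, hosts_with_binaries(hashes, procs, {h for h, _ in beacons})
```

On the constructed data, ws01 and ws02 are flagged as beaconing to 203.0.113.7, the pivot yields HASH_A and HASH_B, and ws04 and ws05 surface as hosts carrying those binaries without any beaconing yet.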
Together, network and endpoint datasets help hunters more quickly and thoroughly identify threats.
On July 19, 2016 at 2 PM ET Sqrrl and Carbon Black are collaborating on a threat hunting webinar. Please register here. This blog is an introduction to that webinar.
Tune into the webinar to learn more.